[HN Gopher] FBI Palantir glitch allowed unauthorized access to p... ___________________________________________________________________ FBI Palantir glitch allowed unauthorized access to private data Author : grej Score : 184 points Date : 2021-08-26 15:49 UTC (7 hours ago) (HTM) web link (nypost.com) (TXT) w3m dump (nypost.com) | Threeve303 wrote: | The government believes it can create a surveillance state and at | the same time retain control over the data created by its civil | rights violations. Also, if the company wouldn't exist without | government funding either directly or indirectly then the third | party doctrine should not apply. | A4ET8a8uTh0 wrote: | Tbh, this may end up our only saving grace when it comes to | setting up a panopticon: incompetence and basic human nature. | clarkmoody wrote: | Need a few more major leaks of private information of | politicians and regulators. | | And of course we have the nightmare scenario in Afghanistan | with a US database falling into the hands of the Taliban. | Hoping that only "the right people" have access is the worst | form of assurance against abuse. | abecedarius wrote: | https://en.wikipedia.org/wiki/Office_of_Personnel_Managemen | t... | | Hard to overstate this one. So more leaks is not, by | itself, enough to make changes happen. | queuebert wrote: | Is this why some insiders recently dumped a bunch of PLTR? | [deleted] | londons_explore wrote: | The real "fix" for this issue will be to adjust the logging | rentention policies to 24 hours. | | Then nobody can prove who/what/why data was illegally accessed. | | And if some judge forces you to turn over those 24 hours worth of | logs, you fix the ACL's and respond to the judge tomorrow, when | the logs show nothing unwanted. | mandevil wrote: | A) Judges generally don't take kindly to be played for fools. | Do this and you make a judge very very angry, which is not good | for whatever you want the judge to do. | | B) The FBI doesn't keep logs of who accessed what because a | judge wants it. They keep logs on who accessed what because | they want to know who leaked documents to reporters. Something | like the Fincen Files leak: | https://en.wikipedia.org/wiki/FinCEN_Files is investigated by | figuring out everyone who opened the files in question. | | The FBI has even more important information than this, in | particular the identities of confidential informants and | undercover agents. Those cases are actually more complex | because they are highly protected- with good reason, if someone | unauthorized accesses this data it can get people killed- but | desperately need to deconflict: there have been cases where a | FBI office in City A was using a undercover agent to try and | trap drug smugglers in City B, while a confidential informant | in City B was trying to trap gun runners in City A, and no | actual criminals were involved. | 01100011 wrote: | I keep seeing folks hype Palantir, usually to promote the stock, | and I keep wondering what is so special about what is essentially | a software design services firm/body shop. Is there something I'm | missing? | babesh wrote: | Because most other tech companies (except a few of the very | biggest ones) won't touch that business with a 10 foot pole. | They have all that business for themselves. Fat profits for | tech that doesn't have to be awesome. | jasonhoch wrote: | Palantir responded in a statement to TheStreet.com: "There was no | glitch in the software. Our platform has robust access and | security controls. The customer also has rigorous protocols | established to protect search warrant returns, which, in this | case, the end user did not follow." | | Source: https://www.thestreet.com/investing/palantir-shares-data- | acc... | TechBro8615 wrote: | Ah, the famous "Cambridge Analytica Cop-Out," invented by | Facebook but perfected as an art by blameless multinational | congolomerates. | LeifCarrotson wrote: | If you can gain unauthorized access by simply choosing not to | follow a protocol that says you don't have access, there aren't | really any access controls in the software at all. | SevenSigs wrote: | Ive seen videos of Palantir's software in action and it | doesnt appear to be very sofisticated | TaupeRanger wrote: | No - the FBI didn't use the access controls correctly, that's | the point. If they were used correctly, the unauthorized | access wouldn't have happened. | addingnumbers wrote: | They didn't use the controls at all. To Palantir, inaction | or omission indicate there should be zero controls. | dewey wrote: | It sounds more like the customer should set something to | private but chose not to. Just like if you set your S3 bucket | to public you wouldn't blame Amazon for not keeping your data | private. | eli wrote: | It's better now, but Amazon absolutely deserves blame for | historically making it extremely easy to accidentally make | S3 buckets or files within buckets public. | pestaa wrote: | Cutlery manufacturers absolutely deserve blame for | historically making it extremely easy to accidentally cut | your fingers with their knives. | omegaworks wrote: | If you sell cutlery without a handle and expect your end | users to simply wrap it in a towel before using it maybe | you should share some of the blame when your users hurt | themselves. | weird-eye-issue wrote: | I might be in the minority but I never found the old UI | to be confusing. Public buckets were never the default | and it was pretty clear when you were making the change. | It's good they are making it more dummy proof but I'm not | sure it is fair to say they deserve blame | | As a sidenote I actually find all the new warnings and | stuff annoying (but I'm not saying it isn't worth it all | things considered). As a developer I'm quite used to | having to pay attention to details already - one typo can | be disastrous and there might be no warning (you might | say but that is what a proper CI process is for and | testing but what if that typo is in the CI process or | tests?) | janto wrote: | This looks more like a mess that would happen if S3 buckets | _by default_ were accessible to anyone with an Amazon | account. Which would clearly be a colossal mistake made by | the platform. | dennisblue wrote: | ITT we blame a software company for the sham practices and | requirements of intelligence agencies. | | Yes in any responsible system, there would be mandatory | access controls and default access limits, but I can 100% | guarantee you that the reason these systems don't have those | (and the ones described by Snowden don't either) is because | the intelligence agencies don't want them. They want it to be | easy for their employees and contractors to break the pretend | security that pretends to protect our privacy. | | Knowing this, it's infuriating they would point the finger at | anyone else. Will someone please remind me why we even need | intelligence agencies? | ren_engineer wrote: | sounds more like a feature than a bug, Palantir can blame the | FBI, FBI can blame Palantir. FBI really just wants the ability | to access data they want | nxpnsv wrote: | This sounds a lot like "you're holding it wrong"... | adolph wrote: | Reference for the younguns: | | https://youtu.be/b9eXYOA8TCk?t=117 | AtlasBarfed wrote: | Built-in bypasses to protections of your freedoms and security | theatre that allegedly protects them: | | FUNCTIONING AS DESIGNED | | Yeah, the headline of the article immediately brought to mind | an IT system built by a data-hoovering oversight-averse FBI | funded to self-develop a system to protect that data and | enforce oversight would not... quite... close the loop. | qeternity wrote: | What do you mean the vault was robbed? We put an "Authorized | Personnel Only" sign out front. | leroy_masochist wrote: | It looks like Palantir is blaming FBI's mismanagement of ACLs as | the root cause of what happened here. | 1MachineElf wrote: | The relationship must be very strained already if they are | publicly blaming each other. Customers always blame their | vendors. On the Palantir side, their account/product managers | should be asking whether or not their ACL config is | sufficiently intuitive. If this mistake was easy for a customer | to make, if it's a mistake that couldn't have been avoided | without consultancy, then Palantir should treat it like a | defect. | mcguire wrote: | Ultimately, that's why the customer is paying the vendor. | verall wrote: | It's because the FBI doesn't have any leverage to threaten | palantir for passing the blame. "Government agency is | incompetent" is a very potent narrative that blocks the usual | expectation that cloud products should be difficult to use | insecurely. | | Complaining publicly has no downsides for palantir here. | yasp wrote: | Palantir can host its products on-prem, and for the FBI | very well might have. But where it was hosted wouldn't have | any relevance here. | ErikVandeWater wrote: | > "Government agency is incompetent" is a very potent | narrative that blocks the usual expectation that cloud | products should be difficult to use insecurely. | | Whether the government purchased a defective product that | was insecure or misused a good product, the government | should be held to account for the failure, same as with any | company. | A4ET8a8uTh0 wrote: | Their leverage is contract. Palantir's position as vendor | of choice is kinda limited right now. They don't seem to | service regular corps in US. | | The complaint can have a real ramifications ( loss of | future contracts and so on ). That said, at certain point | enough is enough I suppose. | theknocker wrote: | The FBI is incompetent. The FBI is so incompetent that it | sufficiently explains the phenomena, and the burden of | proof is on the FBI to prove their explanation instead. | sfvisser wrote: | Could as well be. Properly managing access controls for a | complicated data platform might actually be harder than | securing the software to begin with. Setting up protocols for | who is able to access what and why and who is in charge of | changing the config is non-trivial. | yasp wrote: | FBI throwing its vendor under the bus due their own incompetence. | edoceo wrote: | SOP for government | mcguire wrote: | The vendor is claiming the FBI didn't use the product | correctly. | dylan604 wrote: | the person you posted said that the FBI blamed the vendor | becaues of the FBI's incompetence. so why did you feel the | need to say the same thing worded differently? | mcguire wrote: | They are pointing fingers at each other and we have no idea | how valid each claim is. | legerdemain wrote: | People quoting Palantir's CYA response are missing the fact that | Palantir's business model is to embed engineers at customer sites | to deploy, configure, and operate their software. There is a good | chance that the software was misconfigured because Palantir post- | sales engineers misconfigured it. | Dopameaner wrote: | The hacker had some interesting experiences | | > Griffith is accused of violating international sanctions by | traveling to North Korea and delivering a speech about | cryptocurrency. | | > He is charged with helping North Korea circumvent sanctions | through the use of crypto. | mellavora wrote: | No, no, the article is true! | | the glitch is that we allow companies like Palantir to exist. | boredumb wrote: | government is a blunder machine and software is built with bad | defaults? | TaupeRanger wrote: | "glitch" /= user error | rurp wrote: | I don't understand, this seems like a config issue rather than a | software "glitch". Maybe the software has bad defaults, but | that's something the consumer should figure out up front, not | years into using it. | ChrisKnott wrote: | I don't really understand exactly what the FBI breached here...? | | They uploaded (AFAICT, lawfully obtained) evidence into their | FBI-wide system, then it appeared in search results legitimately | because there was a crossover with another investigation. | | The whole point of criminal intelligence systems is to reveal | these kinds of unexpected links isn't it? | | Does the warrant get granted with some kind of limitations on how | the material can be used or who can review it? | | Obviously, they have done something wrong as they have apparently | felt the need to send a mea culpa to the court, but I don't | really see what it is. | slim wrote: | No one asked why other fbi agents accessed his data ? Maybe those | fbi agents were cia snitches ? :) Maybe it's a feature not a | glitch ___________________________________________________________________ (page generated 2021-08-26 23:01 UTC)